diff --git a/rpm-4.16.1.3-hashtab-use-after-free-fix.patch b/rpm-4.16.1.3-hashtab-use-after-free-fix.patch
new file mode 100644
index 0000000..eee3cc3
--- /dev/null
+++ b/rpm-4.16.1.3-hashtab-use-after-free-fix.patch
@@ -0,0 +1,13 @@
+diff -up rpm-4.16.1.3/tools/hashtab.c.orig rpm-4.16.1.3/tools/hashtab.c
+--- rpm-4.16.1.3/tools/hashtab.c.orig	2021-07-01 14:51:24.576237269 +0200
++++ rpm-4.16.1.3/tools/hashtab.c	2021-07-01 15:02:42.005754968 +0200
+@@ -292,7 +292,8 @@ htab_expand (htab)
+     }
+   while (p < olimit);
+ 
+-  free (oentries);
++  if (oentries != htab->entries)
++    free(oentries);
+   return 1;
+ }
+ 
diff --git a/rpm.spec b/rpm.spec
index 5fd1b33..89a837e 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -84,6 +84,9 @@ Patch914: 0004-NFC-debugedit-Move-code-to-separate-functions.patch
 Patch915: 0005-debugedit-Implement-DWARF-5-unit-header-and-new-form.patch
 Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch
 
+# Downstream-only patches
+Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch
+
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
 License: GPLv2+